Lucene search
K

142 matches found

Vulnrichment
Vulnrichment
added 2025/11/13 8:27 a.m.5 views

CVE-2025-10295 Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS4.8AI score0.00161EPSS
Exploits0References2
EUVD
EUVD
added 2025/11/13 7:27 a.m.8 views

EUVD-2025-158262

The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the 'restsimpleTranscribeAudio' and 'restsimpleVisionQuery' functions. This makes it possible for authenticated...

7.1CVSS6.5AI score0.00358EPSS
Exploits0References7
CVE
CVE
added 2025/11/11 3:30 a.m.14 views

CVE-2025-11168

CVE-2025-11168 (Mementor Core, WordPress) The vulnerability affects Mementor Core plugin for WordPress versions up to 2.2.5. It stems from improper handling of the user switch-back function, enabling authenticated attackers with Subscriber-level access or higher to escalate to an administrator ac...

8.8CVSS5.5AI score0.00309EPSS
Exploits0References3
CVE
CVE
added 2025/11/08 3:27 a.m.11 views

CVE-2025-12167

CVE-2025-12167 affects the WordPress plugin “Contact Form 7 AWeber Extension” (versions through 0.1.42). The root cause is a missing capability check on the AJAX endpoint named wp_ajax_aweber_logreset, allowing authenticated users with Subscriber-level access and above to modify data by resetting...

4.3CVSS4.7AI score0.00194EPSS
Exploits0References2
NVD
NVD
added 2025/11/06 6:15 a.m.7 views

CVE-2025-12560

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make we...

4.3CVSS0.00195EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/02 6:43 a.m.13 views

CVE-2025-6574

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for...

8.8CVSS6.6AI score0.00277EPSS
Exploits0References1
NVD
NVD
added 2025/11/01 6:15 a.m.6 views

CVE-2025-11740

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

6.5CVSS0.00252EPSS
Exploits0References2
CVE
CVE
added 2025/10/16 6:47 a.m.20 views

CVE-2025-10706

CVE-2025-10706 pertains to the Classified Pro WordPress theme. Wordfence and CVE records confirm a missing capability check in cwp_addons_update_plugin_cb across all versions

8.8CVSS6.3AI score0.00584EPSS
Exploits0References2
NVD
NVD
added 2025/09/12 3:15 a.m.6 views

CVE-2025-10269

The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the executi...

7.5CVSS0.00519EPSS
Exploits0References2
NVD
NVD
added 2025/09/03 12:15 a.m.6 views

CVE-2025-9260

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated...

6.5CVSS0.0053EPSS
Exploits0References3
CVE
CVE
added 2025/08/28 3:42 a.m.22 views

CVE-2025-9345

CVE-2025-9345 : Path Traversal to Arbitrary File Download in the WordPress plugin “File Manager, Code Editor, and Backup by Managefy.” Affected versions: all up to 1.4.8. Root cause per sources: authenticated users (Subscriber level and higher) can leverage ajax_downloadfile() to access files out...

4.9CVSS7AI score0.00465EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/08/25 5:32 a.m.4 views

CVE-2025-9048

The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delimgajaxcall function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

8.1CVSS8AI score0.00588EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/08/23 4:25 a.m.3 views

CVE-2025-9048 Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion

The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delimgajaxcall function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

8.1CVSS7.9AI score0.00588EPSS
Exploits0References3
Patchstack
Patchstack
added 2025/08/19 11:42 p.m.7 views

WordPress ColorMag plugin <= 4.0.19 - Missing Authorization to Authenticated (Subscriber+) ThemeGrill Demo Importer Plugin Installation vulnerability

Missing Authorization to Authenticated Subscriber+ ThemeGrill Demo Importer Plugin Installation vulnerability discovered by Dmitrii Ignatyev in WordPress Theme ColorMag versions = 4.0.19...

4.3CVSS7AI score0.0022EPSS
Exploits0References1Affected Software1
GithubExploit
GithubExploit
added 2025/08/02 9:22 a.m.375 views

Exploit for CVE-2025-7847

CVE-2025-7847 Wordpress Plugin Authenticated Subscriber Arbitr...

8.8CVSS6.5AI score0.01057EPSS
Exploits2
GithubExploit
GithubExploit
added 2025/08/02 9:22 a.m.360 views

Exploit for CVE-2025-7847

CVE-2025-7847 Wordpress Plugin Authenticated Subscriber Arbitr...

8.8CVSS6.5AI score0.01057EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2025/05/23 3:20 a.m.8 views

CVE-2023-2415

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

5.4CVSS5.1AI score0.00698EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:33 a.m.6 views

CVE-2023-1337

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clearuucsslogs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete...

4.3CVSS5.1AI score0.01024EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 11:24 p.m.6 views

CVE-2022-4028

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes...

6.4CVSS4.2AI score0.00495EPSS
Exploits0References1
Patchstack
Patchstack
added 2025/03/08 3:57 a.m.8 views

WordPress WP-Recall plugin <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Exeuction vulnerability discovered by Krzysztof Zając in WordPress Plugin WP-Recall versions = 16.26.10...

6.3CVSS9.1AI score0.0031EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder